Security techniques for biometric keyboard with continuous reading from in-line fingerprint sensors

The present disclosure relates to security methods used with biometric keyboards to identify users.

Prompting a user for biometrics is often an interrupt driven process. Fingerprint scanning may be used to provide multi-factor authentication via biometrics, but fingerprint readers are often embedded on non-typing keys of a keyboard. In this case, a user inconveniently repositions his or her hands onto the fingerprint reader, and waits for a fingerprint reading result. Conventional keyboard fingerprint scanning techniques do not provide full identity and authentication protection in a convenient, seamless, and efficient manner.

In an embodiment, a method comprises: at a workstation with a biometric keyboard that has keys with fingerprint readers: accepting a login to the workstation by a first user; receiving, from the fingerprint readers, first fingerprint readings indictive of first fingerprints of the first user responsive to typing on the keys by the first user; upon first determining the first fingerprint readings match known first fingerprints for the first user, authenticating the first user as an authorized user; receiving, from the fingerprint readers, second fingerprint readings indicative of second fingerprints of a second user responsive to typing on the keys by the second user; and upon second determining that the second fingerprint readings do not match the known first fingerprints of the first user, automatically logging-out the first user to prevent the first user from using the workstation.

is a diagram of an example computer environmentin which security techniques using a biometric keyboard with continuous reading from in-line fingerprint sensors (also referred to as “fingerprint readers”) may be implemented. Computer environmentincludes a computer device or workstationcoupled with networkover which the workstation may communicate. Networkmay include one or more wide area networks (WANs), such as the Internet, and one or more local area networks (LANs). Workstationincludes a display, a biometric keyboard, and a controllercoupled to and configured to communicate with the display and the biometric keyboard. Biometric keyboardincludes biometric keys(also denoted as biometric keys K) on which a user may type to interface with controller. Biometric keysinclude fingerprint readers(also denoted as fingerprint readers R) embedded in, or in-line with, the biometric keys. Biometric keysand fingerprint readersare electrically coupled to controllerand configured to transmit to the controller key-specific signals when pressed by a user, as is known. The signals convey the identities of the pressed keys and fingerprint readings made by fingerprint readers. In an example, biometric keysmay include lettered and numbered keys of biometric keyboard, such as QWERTY keys, a spacebar, and so on.

Fingerprint readersare configured to read or detect fingerprints on fingers that touch the fingerprint readers, and transmit the read/detected fingerprints to controller. In an example, fingerprint readerstransmit the detected fingerprints (i.e., “fingerprint reads”) as fingerprint image information (i.e., “fingerprint images”) to controller. Biometric keysand their interfaces to controllermay be configured according to any known or hereafter developed biometric keys and corresponding interfaces for a biometric keyboard.

Workstationhosts or otherwise has access to a user application, fingerprint profiles, and an authorized user list. Workstationalso hosts an identity provider (IDP)(also referred to as an “IDP module”) configured to identify and authenticate users based on their fingerprint readings (i.e., received fingerprint images), fingerprint profiles, and authorized user list, as described below. Fingerprint profilesincludes predetermined fingerprint profiles for corresponding users. A fingerprint profile includes known fingerprint images for different fingers of a left hand and a right hand of a user. Thus, a full fingerprint profile for the user includes up to ten different known fingerprints (e.g., for the index fingers, middle fingers, ring fingers, thumbs, and so on). The fingerprint profile is mapped to an identity of the user (i.e., a user identity, such as a user name or other unique user identifier). Authorized user listlists users who are authorized to use workstation, user application, and other services accessible through the workstation. For example, authorized user listincludes user identities of the users who are authorized for such access.

At a high level, as a user repeatedly types on biometric keys, IDPrepeatedly collects/receives from fingerprint readersfingerprint readings (i.e., received fingerprint images) in real-time. To identify the user, IDPsearches fingerprint profilesfor a fingerprint profile that matches the fingerprint readings. When a matching fingerprint profile is found, IDPaccesses a user identity associated with the fingerprint profile. Next, IDPsearches for the user identity in authorized user list. When a matching user identity is found, IDPauthenticates the user to the entities for which the user identity is authorized (e.g., to workstation, user application, and so on). By performing always-on and continuous biometric reading using biometric keyboard, the user can provide multi-factor authentication without having to otherwise relocate his or her hands to a dedicated fingerprint reader that is not a usual typing key or perform additional inconvenient movements or tasks. Other identification and authentication techniques are described in further detail below.

is a flow diagram of an example methodof zero-trust enforcement with repeated identity detection and authentication using biometric keyboard.

A user, i.e., user A, performs a successful login onto workstation. This may include a successful login into user application. At, IDPidentifies and authenticates user A using the following operations. AtA, user A interfaces with (i.e., finger-types on) biometric keys. AtB, IDPcollects/receives partial fingerprint readings across biometric keys. This can occur often when fast typing results in a partial hit of a fingertip on a fingerprint reader. IDPaggregates/accumulates the partial fingerprint readings into a cumulative fingerprint reading, as will be described below. AtC, IDPidentifies user A based on the fingerprint profilesand the aforementioned cumulative fingerprint reading. That is, IDPdetermines that the cumulative fingerprint matches a prestored fingerprint profile for user A. IDPaccess the identity of user A from the fingerprint profile. AtD, IDPauthenticates user A using the identity of user A against authorized user list. That is, IDPsearches for and finds the identity of user A in authorized user list. Authorized user listlists the various entities to which user A is authorized.

At, user A abandons his or her location near biometric keyboard, as follows. AtA, user A stops typing on biometric keyboard. AtB, user A remains logged in at workstationand user application. AtC, predetermined inactivity timeout periods (e.g., 15 minutes) for a workstation screen/keyboard lock, an operating system lock, and for de-authentication of user A have not yet occurred/taken place. Therefore, user A's existing authentication persist.

At, an intruder, i.e., user B, attempts to use workstationin user A's absence, which triggers ongoing verification through biometric keyboard. AtA, the intruder, user B, arrives at biometric keyboardwith an intent to access various systems (collectively “the system”) under user A's privileges. AtB, user B begins typing on biometric keys, which initiates ongoing identification and authentication as described above. AtC, partial fingerprint analysis performed by IDPfor user B (i.e., on fingerprint readings of user B) does not match the fingerprint profile of authenticated user A.

At, zero-trust is enforced through de-authentication of user A, as follows. IDPdetermines whether the fingerprint readings for user B match a fingerprint profile for user B in fingerprint profiles. AtA, when the fingerprint readings for user B match a fingerprint profile of user B, IDP(i) performs of an automatic logout of user A from the system (e.g., from workstationand user application), (ii) de-authenticates user A, (iii) retrieves an identity of user B from the fingerprint profile for user B, and (iv) uses the identity of user B to authenticate user B. On the other hand, when the fingerprint readings for user B do not match a fingerprint profile for user B, atB, IDP(i) performs a logout of user A from the system (e.g., from workstationand user application), (ii) de-authenticates user A, and (iii) locks features of workstation, e.g., display, biometric keyboard, and/or the operating system. AtC, IDPsends a notification that user B is attempting to access the system, e.g., sends a silent alarm, security incident, and so on.

is a flowchart of an example methodof partial fingerprint matching performed on a user typing on biometric keyboard. An a priori configuration action stores into a fingerprint profile for the user individual known images of the fingerprints (i.e., known fingerprint images) for fingers of the user that are used for typing.

At, an authentication prompt is presented to the user on display. In response, the user types on biometric keys. At, a user's finger contacts one of biometric keys, which triggers the fingerprint reader in that biometric key to capture a fingerprint reading, and transmit the fingerprint readings to IDP. IDPstores the fingerprint reading in a fingerprint buffer of finite length (e.g., for 10 fingerprint reading slots). The fingerprint reading may convey only a partial fingerprint, i.e., only a portion of the corresponding known fingerprint image that is stored in the fingerprint profile.

At, IDPexecutes fingerprint matching to determine how well the fingerprint reading matches any known fingerprint images. To do this, IDPsearches the known fingerprint images for a match to the fingerprint reading, i.e., compares the fingerprint reading against each of the known fingerprint images looking for the match, based on similarity. The compare measures a percentage of fingerprint image area match between the fingerprint reading and the known fingerprint images. The compare produces a match score (also referred to as a “confidence” score), such as a match percentage. The match score ranges from 0% when there is no similarity to 100% when there is a complete or perfect match. IDPsums or accumulates the match score into a cumulative match score, which is initially set equal to zero. IDPcompares the cumulative match score to a security threshold. When the cumulative match score exceeds the security threshold indicating a strong/confident match, flow proceeds to. When the cumulative match score does not exceed the security threshold indicating there is not a strong match, flow proceeds to.

At, IDPaccess a user identity associated with the fingerprint profile, and authenticates the user using the user identity and authorized user list, as described above.

At, IDPrepeatedly collects more fingerprint readings as the user repeatedly types on biometric keys, stores the fingerprint readings in the fingerprint buffer, and repeatedly performs the fingerprint matching as described above with each fingerprint reading, to increase the cumulative match score toward the security threshold. For example, at,, and, IDPcollects fingerprint readings for a first instance of the left hand index finger, the right hand middle finger, and a second instance of the left hand index finger, respectively, and performs the fingerprint matching for each fingerprint reading.

At any time, when the cumulative match score exceeds the security threshold, flow proceeds to. Additionally, at, IDPtests whether the fingerprint buffer is full. When the fingerprint buffer if full and upon receiving a next fingerprint reading to be stored, flow proceeds to. At, IDPremoves the oldest fingerprint reading from the fingerprint buffer, decrements the cumulative match score by the individual match score of the discarded fingerprint reading (i.e., the oldest fingerprint reading and its match score), and adds to the cumulative match score the individual match score for the next (most recently received) fingerprint reading. Thus, the fingerprint buffer is configured as a “rolling” buffer or a first-in-first-out (FIFO), and the cumulative match score is implemented as a rolling match score.

shows an example rolling fingerprint bufferof length N=10 that stores a sequence of 8 fingerprint readings.shows a first rowof percentage match scores produced by IDPcorresponding to the fingerprint readings, a second rowthat identifies the best matching fingers of the user for the fingerprint readings, and a third rowthat shows cumulative match scores that increase/grow across the fingerprint readings. For example, (i) the first fingerprint reading has a 30% match to the right hand middle finger, and results in an initial cumulative match score of 0.30 (since it is the first fingerprint reading), (ii) the second fingerprint reading has an 8% match to the right hand ring finger, and results in a cumulative match score of 0.08+0.30=0.38 (since it is the second fingerprint reading), and so on. The eighth fingerprint reading results in a cumulative match score of 2.81, which exceeds a preconfigured security threshold of 2.5.

shows an example rolling fingerprint bufferof length N=10 that stores a sequence of 10 fingerprint readings, at the point when buffer overflow occurs.shows an oldest fingerprint readingthat is discarded upon collection of an 11fingerprint reading. The individual match score for oldest fingerprint readingis decremented from the cumulative match score, and the individual match score for the 11fingerprint reading is summed into the cumulative match score (thereby replacing the older match score). Therefore, only up to N match scores are summed. That is, only a limited number of consecutive match scores are summed (only match scores for fingerprint readings in the rolling buffer are summed), which prevents dozens of 1% readings from successfully authenticating a user.

is an illustration of a biometric keyboardthat includes biometric keys. The keyboard is a QWERTY keyboard with fingerprint readers embedded in most of the keys. In other examples, fewer fingerprint readers may be employed.

is a flowchart of an example methodof identifying and authenticating users using a biometric keyboard that has keys with fingerprint readers. Operations of methodare described above.

At, the workstation accepts a login by a first user.

At, the workstation receives, from the fingerprint readers, first fingerprint readings indictive of first fingerprints of the first user responsive to typing on the keys by the first user.

At, upon first determining that the first fingerprint readings match known first fingerprints for the first user, the workstation authenticates the first user as an authorized user. For example, upon first determining that the first fingerprint readings match the known first fingerprints, the workstation accesses a user identity of the first user that is mapped to the known first fingerprints, and then authenticates the first user based on the user identity and an authorized user list that includes the user identity.

At, the workstation receives, from the fingerprint readers, second fingerprint readings indicative of second fingerprints of a second user responsive to typing on the keys by the second user.

At, upon second determining that the second fingerprint readings do not match the known first fingerprints of the first user, the workstation automatically performs a logout of the first user (i.e., performs logging-out of the first user) to prevent the first user from using the workstation.

At, upon second determining that the second fingerprint readings do not match the known first fingerprints of the first user, and upon third determining that the second fingerprint readings do not match any known second fingerprints of the second user, the workstation places itself in lockdown. For example, the workstation may lock the screen, the keyboard, and or the operating system of the workstation. Additionally, the workstation may send an alarm to indicate that an unauthorized user is attempting to access the workstation.

At, upon second determining that the second fingerprint readings do not match the known first fingerprints of the first user, and upon fourth determining that the second fingerprint readings match known second fingerprints of the second user, the workstation authenticates the second user.

is a flowchart of an example methodof matching fingerprints performed at a workstation with a biometric keyboard that has keys with fingerprint readers.

At, the workstation receives different fingerprint readings for different fingers of a user.

At, the workstation compares the different fingerprint readings against different known fingerprints to produce individual match scores indicative of levels of similarity.

At, the workstation sums the individual match scores into a cumulative match score.

At, only upon determining that the cumulative match score exceeds a security threshold indicating that the user is known based on the different fingerprint readings, the workstation identifies the user. In an embodiment, the workstation sums the individual match scores for up to a number N (e.g., 10) of the fingerprint readings in a rolling fashion as the first fingerprint readings are received. Upon receiving N fingerprint readings and then receiving a next (e.g., 11) fingerprint reading, the workstation replaces an oldest one of the individual match scores for the fingerprint readings (e.g., for the 10fingerprint reading) with a next match score for the next first fingerprint reading (e.g., for the 11fingerprint reading).

Referring to,illustrates a hardware block diagram of a computing devicethat may perform functions associated with operations discussed herein in connection with the techniques depicted in. In various embodiments, a computing device or apparatus, such as computing deviceor any combination of computing devices, may be configured as any entity/entities as discussed for the techniques depicted in connection within order to perform operations of the various techniques discussed herein. For example, computing device may represent controllerof workstation, for example.

In at least one embodiment, the computing devicemay be any apparatus that may include one or more processor(s), one or more memory element(s), storage, a bus, one or more network processor unit(s)interconnected with one or more network input/output (I/O) interface(s), one or more I/O interface(s), and control logic. In various embodiments, instructions associated with logic for computing devicecan overlap in any manner and are not limited to the specific allocation of instructions and/or operations described herein.

In at least one embodiment, processor(s)is/are at least one hardware processor configured to execute various tasks, operations and/or functions for computing deviceas described herein according to software and/or instructions configured for computing device. Processor(s)(e.g., a hardware processor) can execute any type of instructions associated with data to achieve the operations detailed herein. In one example, processor(s)can transform an element or an article (e.g., data, information) from one state or thing to another state or thing. Any of potential processing elements, microprocessors, digital signal processor, baseband signal processor, modem, PHY, controllers, systems, managers, logic, and/or machines described herein can be construed as being encompassed within the broad term ‘processor’.

In at least one embodiment, memory element(s)and/or storageis/are configured to store data, information, software, and/or instructions associated with computing device, and/or logic configured for memory element(s)and/or storage. For example, any logic described herein (e.g., control logic) can, in various embodiments, be stored for computing deviceusing any combination of memory element(s)and/or storage. Note that in some embodiments, storagecan be consolidated with memory element(s)(or vice versa), or can overlap/exist in any other suitable manner.

In at least one embodiment, buscan be configured as an interface that enables one or more elements of computing deviceto communicate in order to exchange information and/or data. Buscan be implemented with any architecture designed for passing control, data and/or information between processors, memory elements/storage, peripheral devices, and/or any other hardware and/or software components that may be configured for computing device. In at least one embodiment, busmay be implemented as a fast kernel-hosted interconnect, potentially using shared memory between processes (e.g., logic), which can enable efficient communication paths between the processes.

In various embodiments, network processor unit(s)may enable communication between computing deviceand other systems, entities, etc., via network I/O interface(s)(wired and/or wireless) to facilitate operations discussed for various embodiments described herein. In various embodiments, network processor unit(s)can be configured as a combination of hardware and/or software, such as one or more Ethernet driver(s) and/or controller(s) or interface cards, Fibre Channel (e.g., optical) driver(s) and/or controller(s), wireless receivers/transmitters/transceivers, baseband processor(s)/modem(s), and/or other similar network interface driver(s) and/or controller(s) now known or hereafter developed to enable communications between computing deviceand other systems, entities, etc. to facilitate operations for various embodiments described herein. In various embodiments, network I/O interface(s)can be configured as one or more Ethernet port(s), Fibre Channel ports, any other I/O port(s), and/or antenna(s)/antenna array(s) now known or hereafter developed. Thus, the network processor unit(s)and/or network I/O interface(s)may include suitable interfaces for receiving, transmitting, and/or otherwise communicating data and/or information in a network environment.

I/O interface(s)allow for input and output of data and/or information with other entities that may be connected to computing device. For example, I/O interface(s)may provide a connection to external devices such as a keyboard (which may be biometric), keypad (which may be biometric), a touch screen, and/or any other suitable input and/or output device now known or hereafter developed. In some instances, external devices can also include portable computer readable (non-transitory) storage media such as database systems, thumb drives, portable optical or magnetic disks, and memory cards. In still some instances, external devices can be a mechanism to display data to a user, such as, for example, a computer monitor, a display screen, or the like.

In various embodiments, control logiccan include instructions that, when executed, cause processor(s)to perform operations, which can include, but not be limited to, providing overall control operations of computing device; interacting with other entities, systems, etc. described herein; maintaining and/or interacting with stored data, information, parameters, etc. (e.g., memory element(s), storage, data structures, databases, tables, etc.); combinations thereof; and/or the like to facilitate various operations for embodiments described herein.

The programs described herein (e.g., control logic) may be identified based upon application(s) for which they are implemented in a specific embodiment. However, it should be appreciated that any particular program nomenclature herein is used merely for convenience; thus, embodiments herein should not be limited to use(s) solely described in any specific application(s) identified and/or implied by such nomenclature.

In various embodiments, any entity or apparatus as described herein may store data/information in any suitable volatile and/or non-volatile memory item (e.g., magnetic hard disk drive, solid state hard drive, semiconductor storage device, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM), application specific integrated circuit (ASIC), etc.), software, logic (fixed logic, hardware logic, programmable logic, analog logic, digital logic), hardware, and/or in any other suitable component, device, element, and/or object as may be appropriate. Any of the memory items discussed herein should be construed as being encompassed within the broad term ‘memory element’. Data/information being tracked and/or sent to one or more entities as discussed herein could be provided in any database, table, register, list, cache, storage, and/or storage structure: all of which can be referenced at any suitable timeframe. Any such storage options may also be included within the broad term ‘memory element’ as used herein.

Note that in certain example implementations, operations as set forth herein may be implemented by logic encoded in one or more tangible media that is capable of storing instructions and/or digital information and may be inclusive of non-transitory tangible media and/or non-transitory computer readable storage media (e.g., embedded logic provided in: an ASIC, digital signal processing (DSP) instructions, software [potentially inclusive of object code and source code], etc.) for execution by one or more processor(s), and/or other similar machine, etc. Generally, memory element(s)and/or storagecan store data, software, code, instructions (e.g., processor instructions), logic, parameters, combinations thereof, and/or the like used for operations described herein. This includes memory element(s)and/or storagebeing able to store data, software, code, instructions (e.g., processor instructions), logic, parameters, combinations thereof, or the like that are executed to carry out operations (including generating GUIs for display and interacting with the GUIs) in accordance with teachings of the present disclosure.

In some instances, software of the present embodiments may be available via a non-transitory computer usable medium (e.g., magnetic or optical mediums, magneto-optic mediums, CD-ROM, DVD, memory devices, etc.) of a stationary or portable program product apparatus, downloadable file(s), file wrapper(s), object(s), package(s), container(s), and/or the like. In some instances, non-transitory computer readable storage media may also be removable. For example, a removable hard drive may be used for memory/storage in some implementations. Other examples may include optical and magnetic disks, thumb drives, and smart cards that can be inserted and/or otherwise connected to a computing device for transfer onto another computer readable storage medium.

Embodiments described herein may include one or more networks, which can represent a series of points and/or network elements of interconnected communication paths for receiving and/or transmitting messages (e.g., packets of information) that propagate through the one or more networks. These network elements offer communicative interfaces that facilitate communications between the network elements. A network can include any number of hardware and/or software elements coupled to (and in communication with) each other through a communication medium. Such networks can include, but are not limited to, any local area network (LAN), virtual LAN (VLAN), wide area network (WAN) (e.g., the Internet), software defined WAN (SD-WAN), wireless local area (WLA) access network, wireless wide area (WWA) access network, metropolitan area network (MAN), Intranet, Extranet, virtual private network (VPN), Low Power Network (LPN), Low Power Wide Area Network (LPWAN), Machine to Machine (M2M) network, Internet of Things (IoT) network, Ethernet network/switching system, any other appropriate architecture and/or system that facilitates communications in a network environment, and/or any suitable combination thereof.

Networks through which communications propagate can use any suitable technologies for communications including wireless communications (e.g., 4G/5G/nG, IEEE 802.11 (e.g., Wi-Fi®/Wi-Fi6®), IEEE 802.16 (e.g., Worldwide Interoperability for Microwave Access (WiMAX)), Radio-Frequency Identification (RFID), Near Field Communication (NFC), Bluetooth™, mm.wave, Ultra-Wideband (UWB), etc.), and/or wired communications (e.g., T1 lines, T3 lines, digital subscriber lines (DSL), Ethernet, Fibre Channel, etc.). Generally, any suitable means of communications may be used such as electric, sound, light, infrared, and/or radio to facilitate communications through one or more networks in accordance with embodiments herein. Communications, interactions, operations, etc. as discussed for various embodiments described herein may be performed among entities that may directly or indirectly connected utilizing any algorithms, communication protocols, interfaces, etc. (proprietary and/or non-proprietary) that allow for the exchange of data and/or information.

In various example implementations, any entity or apparatus for various embodiments described herein can encompass network elements (which can include virtualized network elements, functions, etc.) such as, for example, network appliances, forwarders, routers, servers, switches, gateways, bridges, loadbalancers, firewalls, processors, modules, radio receivers/transmitters, or any other suitable device, component, element, or object operable to exchange information that facilitates or otherwise helps to facilitate various operations in a network environment as described for various embodiments herein. Note that with the examples provided herein, interaction may be described in terms of one, two, three, or four entities. However, this has been done for purposes of clarity, simplicity and example only. The examples provided should not limit the scope or inhibit the broad teachings of systems, networks, etc. described herein as potentially applied to a myriad of other architectures.

Communications in a network environment can be referred to herein as ‘messages’, ‘messaging’, ‘signaling’, ‘data’, ‘content’, ‘objects’, ‘requests’, ‘queries’, ‘responses’, ‘replies’, etc. which may be inclusive of packets. As referred to herein and in the claims, the term ‘packet’ may be used in a generic sense to include packets, frames, segments, domains, and/or any other generic units that may be used to transmit communications in a network environment. Generally, a packet is a formatted unit of data that can contain control or routing information (e.g., source and destination address, source and destination port, etc.) and data, which is also sometimes referred to as a ‘payload’, ‘data payload’, and variations thereof. In some embodiments, control or routing information, management information, or the like can be included in packet fields, such as within header(s) and/or trailer(s) of packets. Internet Protocol (IP) addresses discussed herein and in the claims can include any IP version 4 (IPv4) and/or IP version 6 (IPv6) addresses.